Disable AWS Services using Provider Management APIs

Overview

This guide explains how to disable specific AWS services across multiple AWS integrations (providers) using the Veza API. Limiting AWS service extraction can reduce processing overhead, help teams focus on relevant services, or exclude analytics platforms like DATABRICKS that may not be deployed or required for visibility in Veza. This is particularly useful for organizations with many AWS accounts who need to disable unused services at scale.

In the JSON AWS provider configuration, the services array acts as an allow list that controls which AWS services Veza will discover and extract:

Empty array [] = All available AWS services are enabled for discovery
Populated array = Only the listed services are enabled; all others are disabled

To disable specific services, you must populate the array with only the services you want to monitor.

Before you start

Before you update AWS provider services, ensure:

You have API access credentials for your Veza instance (see Authentication for API key setup)
You have the VEZA_TOKEN environment variable configured
You have the VEZA_URL environment variable set to your instance (e.g., https://yourcompany.cookiecloud.ai)
You have appropriate permissions to modify provider configurations
You understand that empty services arrays mean ALL services are enabled

Disable specific AWS services across providers

Step 1: Discover your current AWS providers

First, retrieve all AWS provider configurations to understand your current setup:

curl -H "Authorization: Bearer $VEZA_TOKEN" \
     "$VEZA_URL/api/v1/providers/aws"

Understanding the response:

Providers with empty services: [] arrays have ALL services enabled
Providers with populated services arrays only extract the listed services
Note the id, name, and account_id fields for providers you want to modify

Example response structure:

{
  "values": [
    {
      "id": "12345678-1234-5678-9012-123456789012",
      "name": "Production AWS Account", 
      "account_id": "123456789012",
      "services": [],
      "state": "ENABLED"
    },
    {
      "id": "87654321-4321-8765-2109-876543210987",
      "name": "Development AWS Account",
      "account_id": "987654321098", 
      "services": ["S3", "RDS_POSTGRES", "LAMBDA"],
      "state": "ENABLED"
    }
  ]
}

Step 2: Identify target providers and services

Identify which providers to modify based on:
- Provider names that match your AWS accounts
- Account IDs that correspond to your AWS accounts
- Current services configuration

Determine your desired services configuration:

Option A: Disable DATABRICKS only

{
  "services": [
    "REDSHIFT", "REDSHIFT_CLUSTER", "S3", "RDS_POSTGRES", "RDS_MYSQL", 
    "RDS_ORACLE", "RDS", "DYNAMODB", "KMS", "EMR", "ORGANIZATIONS", 
    "EC2", "SSO", "COGNITO", "LAMBDA", "EKS", "SECRETS_MANAGER", 
    "ECR", "AWS_IAM"
  ]
}

Option B: Enable only specific services

{
  "services": [
    "S3", "RDS_POSTGRES", "LAMBDA", "EC2", "AWS_IAM"
  ]
}

Option C: Custom configuration

Review the available services list below
Create your own array with desired services

Step 3: Test with a single provider

Before updating all providers, test with one provider first:

# Replace with your actual provider ID and desired services
curl -X PATCH \
     -H "Authorization: Bearer $VEZA_TOKEN" \
     -H "Content-Type: application/json" \
     -d '{"services":["S3","RDS_POSTGRES","LAMBDA","EC2","AWS_IAM"]}' \
     "$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID_HERE"

Verify the change:

curl -H "Authorization: Bearer $VEZA_TOKEN" \
     "$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID_HERE"

Check that the response shows your desired services array.

Step 4: Apply to multiple providers

Manual approach (recommended for small numbers)

Update each provider individually using their specific IDs:

# Example for multiple providers - replace with your actual IDs and services
DESIRED_SERVICES='["S3","RDS_POSTGRES","DYNAMODB","LAMBDA","EC2","AWS_IAM"]'

# Provider 1
curl -X PATCH \
     -H "Authorization: Bearer $VEZA_TOKEN" \
     -H "Content-Type: application/json" \
     -d "{\"services\":$DESIRED_SERVICES}" \
     "$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID_1"

# Provider 2  
curl -X PATCH \
     -H "Authorization: Bearer $VEZA_TOKEN" \
     -H "Content-Type: application/json" \
     -d "{\"services\":$DESIRED_SERVICES}" \
     "$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID_2"

Bulk approach (for many providers)

Create a script for bulk updates. Use with caution as this affects all AWS providers:

#!/bin/bash

# Configuration - CUSTOMIZE THESE VALUES
VEZA_URL="https://yourcompany.cookiecloud.ai"
DESIRED_SERVICES='["S3","RDS_POSTGRES","DYNAMODB","LAMBDA","EC2","AWS_IAM"]'

echo "Starting bulk AWS provider services update..."
echo "Target services: $DESIRED_SERVICES"
echo ""

# Get all AWS provider IDs
provider_ids=$(curl -s -H "Authorization: Bearer $VEZA_TOKEN" \
                    "$VEZA_URL/api/v1/providers/aws" | \
               jq -r '.values[].id')

if [ -z "$provider_ids" ]; then
    echo "Error: No AWS providers found or API call failed"
    exit 1
fi

# Count providers
provider_count=$(echo "$provider_ids" | wc -l)
echo "Found $provider_count AWS providers to update"
echo ""

# Add confirmation prompt
read -p "Continue with bulk update? (y/N): " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
    echo "Update cancelled"
    exit 0
fi

# Update each provider
echo "$provider_ids" | while read provider_id; do
    if [ -n "$provider_id" ]; then
        echo "Updating provider: $provider_id"
        
        response=$(curl -s -w "\nHTTP_STATUS:%{http_code}" -X PATCH \
                        -H "Authorization: Bearer $VEZA_TOKEN" \
                        -H "Content-Type: application/json" \
                        -d "{\"services\":$DESIRED_SERVICES}" \
                        "$VEZA_URL/api/v1/providers/aws/$provider_id")
        
        http_status=$(echo "$response" | grep "HTTP_STATUS" | cut -d: -f2)
        
        if [ "$http_status" = "200" ]; then
            echo "✓ Successfully updated provider $provider_id"
        else
            echo "✗ Failed to update provider $provider_id (HTTP $http_status)"
            echo "Response: $(echo "$response" | grep -v "HTTP_STATUS")"
        fi
        echo ""
    fi
done

echo "Bulk update completed"

Step 5: Verify changes

After updating providers, verify the changes took effect:

# Check all providers
curl -H "Authorization: Bearer $VEZA_TOKEN" \
     "$VEZA_URL/api/v1/providers/aws" | \
jq '.values[] | {id: .id, name: .name, services: .services}'

# Check specific provider
curl -H "Authorization: Bearer $VEZA_TOKEN" \
     "$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID" | \
jq '{id: .id, name: .name, services: .services}'

Reversing changes

Re-enable all services

To return a provider to monitoring all services:

curl -X PATCH \
     -H "Authorization: Bearer $VEZA_TOKEN" \
     -H "Content-Type: application/json" \
     -d '{"services":[]}' \
     "$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID"

Modify service configuration

To change which services are monitored:

# Example: Enable different set of services
NEW_SERVICES='["S3","LAMBDA","DYNAMODB","EC2"]'

curl -X PATCH \
     -H "Authorization: Bearer $VEZA_TOKEN" \
     -H "Content-Type: application/json" \
     -d "{\"services\":$NEW_SERVICES}" \
     "$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID"

Available AWS services

The following AWS services can be included in the services array:

S3 - Simple Storage Service
RDS_POSTGRES - PostgreSQL databases
RDS_MYSQL - MySQL databases
RDS_ORACLE - Oracle databases
RDS - General RDS service
DYNAMODB - DynamoDB NoSQL database
REDSHIFT - Redshift data warehouse
REDSHIFT_CLUSTER - Redshift cluster management
EC2 - Elastic Compute Cloud (virtual machines)
LAMBDA - Serverless functions
EKS - Elastic Kubernetes Service
ECR - Elastic Container Registry
EMR - Elastic MapReduce (big data)
AWS_IAM - Identity and Access Management
KMS - Key Management Service
SECRETS_MANAGER - AWS Secrets Manager
COGNITO - User authentication service
SSO - AWS Single Sign-On
ORGANIZATIONS - AWS Organizations
DATABRICKS - Analytics platform

Important notes:

Service availability may vary by Veza version and configuration
Some services may require specific permissions or setup
When in doubt, check your Veza UI to see which services are available for your AWS providers